# Created 2020-09-29 Tue 14:43
#+TITLE: Work Time Tracker
#+AUTHOR: Yann Esposito

* add idp-mapping during org creation

- ref :: https://github.com/threatgrid/iroh/issues/4204

The =Org= schema contains an optional field named =idp-mapping=:

#+begin_src clojure
(s/defschema OrgIdPMapping
  (st/open-schema
   {:idp (describe s/Str "Internal idp-id")
    :organization-id (describe s/Str "the organization id provided by the IdP")
    :enabled? (describe s/Bool "Do we allow the connection through this IdP?")}))

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {,,,
     :idp-mapping OrgIdPMapping
     ,,
     })))
#+end_src

To support CSA Migration it should be replaced by:

#+begin_src clojure
(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   :organization-id (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str
    :idp-mapping OrgIdPMapping}
   (st/optional-keys
    {:old-idp-mapping OrgIdPMapping
     ,,,
     })))
#+end_src

This issue is about a first step toward this goal.

So at the end of this issue the schemas should be:

#+begin_src clojure
(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   (s/optional-key :organization-id) (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {:idp-mapping OrgIdPMapping
     ,,,
     })))
#+end_src

So, depending on the Identity Provider (IdP), some provide an
=organization-id= and some don't.

IROH-Auth currently works with 3 IdPs:

- IDB AMP (stands for Identity Broker, which proxies the SAML AMP/Castle
  Identity Provider)
- IDB TG (Identity Broker proxying the Threatgrid OpenID Connect IdP)
- SxSO (Okta)

SxSO is the only IdP for which we do not care about the =organization-id=.
So organizations created through login via IDB AMP or IDB TG will be called
/managed orgs/: mainly, the IdP is responsible for the name of the =org-id=.

For managed orgs, we create the org using the function
=iroh-auth.iroh-auth-service.core/sync-user-org=, which uses the value
returned by =iroh-auth.org-service.core/get-org-by-session-infos=.

So this last function should be modified so that the org it returns always
has an =idp-mapping= field.

During logins via SxSO (or any IdP that does not manage orgs) the
=organization-id= must not be set.

During logins via AMP or TG (or any IdP that manages orgs) the
=organization-id= of the =OrgIdPMapping= must be set to the value returned
by the IdP.

Note there might be some work to get the information of whether a given IdP
manages orgs or not. This information is put in =config.edn=: every IdP has
a =:manage-orgs= field.
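The rule above (set =organization-id= only for org-managing IdPs, never for SxSO-like IdPs, driven by the =:manage-orgs= flag) written out as an added example. This is not IROH code: the =OrgIdPMapping= schema mirrors the end-state block above but drops the =describe= wrappers, the =idps-config= map is a constructed stand-in for the IdP part of =config.edn= (only the =:manage-orgs= field comes from the page, the IdP keys are assumed), =build-idp-mapping= is a hypothetical helper that =get-org-by-session-infos= could call, the =:idp= / =:organization-id= keys of the session infos and the =:enabled? true= default are assumptions.

```clojure
(ns example.idp-mapping
  (:require [schema.core :as s]))

;; Added example, not IROH code. End-state schema from the issue:
;; :organization-id is optional so one schema fits every IdP.
(s/defschema OrgIdPMapping
  {:idp s/Str
   (s/optional-key :organization-id) s/Str
   :enabled? s/Bool})

;; Constructed stand-in for the IdP section of config.edn. The page only
;; states that every IdP carries a :manage-orgs field; keys are assumed.
(def idps-config
  {"idb-amp" {:manage-orgs true}
   "idb-tg"  {:manage-orgs true}
   "sxso"    {:manage-orgs false}})

(defn build-idp-mapping
  "Build the OrgIdPMapping for an org created at login.

  `session-infos` is assumed to carry the IdP id under :idp and, when the
  IdP provides one, the IdP-side organization id under :organization-id.
  For an org-managing IdP the :organization-id is required; for any other
  IdP it is deliberately dropped even if present in the session, so a
  value the IdP does not vouch for never ends up in the mapping.
  :enabled? defaults to true here (assumption)."
  [idps-config {:keys [idp organization-id] :as _session-infos}]
  (let [idp-conf (get idps-config idp)]
    ;; Fail loudly on an IdP missing from config rather than guessing.
    (when-not (contains? idp-conf :manage-orgs)
      (throw (ex-info "IdP without :manage-orgs in config.edn" {:idp idp})))
    ;; A managing IdP that returned no organization-id is an error, not a
    ;; silently unmanaged org.
    (when (and (:manage-orgs idp-conf) (nil? organization-id))
      (throw (ex-info "Org-managing IdP did not provide an organization-id"
                      {:idp idp})))
    (s/validate OrgIdPMapping
                (cond-> {:idp idp :enabled? true}
                  (:manage-orgs idp-conf)
                  (assoc :organization-id organization-id)))))

(comment
  ;; managed org: organization-id taken from the IdP
  (build-idp-mapping idps-config {:idp "idb-amp" :organization-id "amp-org-42"})
  ;; SxSO: organization-id must not be set, even if the session carries one
  (build-idp-mapping idps-config {:idp "sxso" :organization-id "ignored"})
  ;; IdP absent from config.edn: throws
  (build-idp-mapping idps-config {:idp "unknown"}))
```

The two =throw= branches are the part worth keeping: an IdP that is not in =config.edn= or a managing IdP that returns no =organization-id= should stop org creation instead of producing a mapping that looks valid but lets a later reconciliation step attach the wrong org.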